Hello,
After the client (Thunderbird, now version 31.0) updated today, it stopped connecting to Dovecot IMAP4S. The infamous "SSL alert number 42" is reported.
The mail server uses a local (created for intranet) CA certificate as root.
I would appreciate advice on how to handle that without enabling plaintext authentication over insecure channels.
Other intranet services work quite fine with this local CA.
Thank you in advance. Required data:
# dovecot --version
2.0.9
# doveconf -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-431.5.1.el6.x86_64 x86_64 CentOS release 6.5 (Final)
auth_username_format = %n
default_process_limit = 1200
disable_plaintext_auth = yes
first_valid_uid = 300
mail_location = mbox:~/mail:INBOX=/var/mail/%n
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
  driver = pam
}
protocols = imap pop3
service anvil {
  client_limit = 6000
}
service auth {
  client_limit = 6000
}
ssl_ca =
Records posted to Dovecot log file:
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=554: fatal bad certificate [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Disconnected (no auth attempts): rip=10.x.x.x, lip=10.y.y.y, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42
Sincerely, Konstantin
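
Added example, not part of the original post and not Dovecot code: a small decoder for the `where=`/`ret=` fields in the log above, showing which side sent each TLS alert. It assumes the fields are the raw OpenSSL info-callback values (`SSL_CB_*` bits from `<openssl/ssl.h>`, with `ret` packing the alert level and description); the function and table names are made up for this example.

```python
import re

# OpenSSL info-callback "where" bits, as defined in <openssl/ssl.h>.
WHERE_BITS = {
    0x01: "LOOP", 0x02: "EXIT", 0x04: "READ", 0x08: "WRITE",
    0x10: "HANDSHAKE_START", 0x20: "HANDSHAKE_DONE",
    0x1000: "CONNECT", 0x2000: "ACCEPT", 0x4000: "ALERT",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the TLS alert descriptions from RFC 5246, section 7.2.
ALERT_NAMES = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}
LINE_RE = re.compile(r"SSL(?: alert)?: where=0x([0-9a-fA-F]+), ret=(-?\d+): (.*?) \[")

def decode_line(line):
    """Decode one verbose SSL log line; return None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    where, ret = int(m.group(1), 16), int(m.group(2))
    info = {"where": [n for b, n in sorted(WHERE_BITS.items()) if where & b],
            "text": m.group(3)}
    if where & 0x4000:  # for alerts, ret packs (level << 8) | description
        info["level"] = ALERT_LEVELS.get(ret >> 8, "unknown")
        info["number"] = ret & 0xFF
        info["name"] = ALERT_NAMES.get(ret & 0xFF, "unlisted")
        # READ: the alert arrived from the peer; WRITE: this side sent it.
        info["from_peer"] = bool(where & 0x04)
    return info

def alerts(lines):
    """Return only the decoded alert records from an iterable of log lines."""
    decoded = (decode_line(line) for line in lines)
    return [d for d in decoded if d and "level" in d]

# Three lines copied from the log in the post above.
SAMPLE = [
    "Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [10.x.x.x]",
    "Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=554: fatal bad certificate [10.x.x.x]",
    "Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [10.x.x.x]",
]

if __name__ == "__main__":
    for record in alerts(SAMPLE):
        print(record)
```

For the post's log this decodes `where=0x4004, ret=554` as a fatal alert 42 (`bad_certificate`) that the server read from the client, followed by a `close_notify` written by the server.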